Hello guys and welcome to another video of our tutorials.
If you find anything helpful in this post or funny, will you please leave a like because you will feel great helping other people find it?
In this tutorial I’m going to show you how to install and to use TcpDump and some useful commands related to it.
So to start we’re going to use the terminal window and now we can try to search for TcpDump in order to install it.
Usually you have to do this as root, but as I said in Kali you are usually root anyways, because most of the tools you’re going to use will require root.
So what I have to do is type apt search tcpdump and this will give me a lot of results related to TcpDump, and it will also give me the tcpdump package itself.
There it is.
So if I want to install it, all I have to do is type apt install tcpdump, hit ENTER and it’s going to go through the installation process.
Now, in this case it tells me that it’s already installed and I have the current version which is 22.214.171.124.
All right. So we can move forward with the TcpDump usage. But before we do that you should go and check if your network adapter is in promisc mode.
To do that, as we stated before, you need to use netstat.
The command here is netstat -i. And there it is. My ethernet adapter here has a P flag, which means promiscuous mode.
Now, we want to start listening on different interfaces for packets, and especially on the ethernet interface, because in our case if we use ifconfig we will see that we have two interfaces. One is the ethernet interface and the other one is the loopback.
So we’re not really interested in the loopback, because there isn’t much traffic going on there. We are interested in the ETH interface.
So to start listening on the ETH interface, we have to type the following command.
And as I said you have to do it with root or sudo or power user, but as it is in Kali you’re already root.
So tcpdump -i eth0.
This will be the most basic type of command. When you do that it starts listening and you can already see the traffic going on.
But if we stop that, you can have a look and see that the time format is not really clear.
The ports and the destinations seem to be already resolved to some part and there isn’t a lot of information from the packet itself.
So yeah, we have statistics of course, 72 packets captured and so on and so on.
What we want to do is type the following command to get a little bit more information from TcpDump.
So we use again -i for eth0, because this is the interface we’re interested in and then we type -nn again.
What will this do? Well, the first single ‘n’ tells TcpDump not to resolve host names. Meaning that if we have traffic to Google, for example, it will not give us the Google host name (the FQDN), it will give us the Google IP address instead. Which is okay. It’s better if you’re doing some sort of analysis of the traffic and you don’t want that information to come from the resolver, but want to look it up yourself or something like that.
If we use ‘nn’ it will also not resolve port numbers to service names, which is also handy when you’re viewing the traffic, because the IP addresses and port numbers are right there in the capture.
So that would be the one part of the command. Then we want to do -s0.
And -s0 means the snapshot length (snaplen), the number of bytes saved from each packet, is set to 0, which in practice means packets are captured at their full size.
Because otherwise TcpDump may put a limit on the packet size and you might not get the full length of the packet, but with -s0 you get the full packet.
The other one we want to add would be -v which is for verbose representation.
And you can also increase that with another ‘v’ if you want to have more verbose output, but let’s just keep it to ‘v’ for now.
And then let’s say we want to monitor traffic on a specific port. And that’s the cool part. You can apply packet filters, like the ones you’d use in Wireshark, before you even capture and create the packet capture.
So basically if I say port 80, this filter and this command will only capture traffic on port 80.
And since I don’t have any traffic going on on port 80 here it stays empty.
But if I open Firefox and start browsing the web to pages that are on port 80, you can see what’s going on here. There are some packets going on.
You can see the source, you can see the destination, flags, checksums. All information that you might want to see is here.
Another thing you can do is run TcpDump and look at the traffic as ASCII text. Let me just give you a quick overview.
This is the command if you want to see the capture in ASCII.
As you see here this is the ASCII representation of the traffic that’s going on. All the pings and all the heartbeats and everything that Firefox is doing right now is going through TcpDump on port 80.
You can see HTTP request which got a 200 response and these are the responses. So the information you can see here is available.
Another command that we can use is for example, filtering by host. And in this situation we’ll have to use the following filter which is the host, which is the 192.168.1.16, the host of this machine. This is actually the IP address of this machine.
Or if you want you can use the gateway of the network and listen for traffic from the gateway on this ethernet adapter.
Unfortunately we don’t have any traffic that we can capture here, because we’re listening in a passive mode and there won’t be anything that we can capture.
But what we can do if we can skip those filters, go back to the first command, remove the port, use the ‘v’ and then use ‘x’ to see the traffic in hex.
There it is. You can see the hexadecimal representation of the traffic which is in many cases useful as much as the ASCII representation.
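The ASCII view and the hex view shown above are what tcpdump’s -A and -x options print (and -X prints hex with the ASCII alongside). As an added example, not code from the tutorial or from tcpdump itself, here is a small Python routine that renders a constructed HTTP request in that same hex-plus-ASCII layout, gives the ASCII-only view, and pulls out the request line, which is the part you usually scan for in -A output. The request bytes are a constructed sample, not a real capture.

```python
"""Added example: hex + ASCII rendering of a packet payload in the layout
tcpdump -X prints, plus the ASCII-only view that -A prints. Written from
scratch here; the request bytes are a constructed sample, not a capture."""

# Constructed sample payload: the start of a plain HTTP/1.1 request on port 80
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 192.168.1.16\r\n\r\n"


def hexdump(data, width=16):
    """Return a tcpdump -X style dump: offset, hex in 2-byte groups, ASCII.
    Non-printable bytes become '.' in the ASCII column, so a TLS record
    shows up as mostly dots while an HTTP request reads as text."""
    lines = []
    hex_cols = width * 5 // 2 - 1       # 16 bytes -> 8 groups of 4 hex chars + 7 spaces
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"\t0x{off:04x}:  {hexpart:<{hex_cols}}  {text}")
    return "\n".join(lines)


def ascii_view(data):
    """The -A style view: printable bytes as-is, CR/LF kept as line breaks,
    everything else shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else "." for b in data)


def request_line(payload):
    """Extract (method, target, version) from a payload that looks like a
    plaintext HTTP request; return None for anything else (e.g. TLS bytes)."""
    head, _, _ = payload.partition(b"\r\n")
    parts = head.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return tuple(p.decode("ascii", "replace") for p in parts)
    return None


if __name__ == "__main__":
    print(hexdump(SAMPLE_REQUEST))
    print(ascii_view(SAMPLE_REQUEST))
    print(request_line(SAMPLE_REQUEST))
```

These views only tell you something for plaintext protocols such as HTTP on port 80; for TLS on port 443 the payload is opaque, so the ASCII column is mostly dots and request_line() returns None.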
Now, if it’s hard for us to look at the traffic this way, which we can all agree on that, we can store the traffic into a pcap file. Same thing that we can do with Wireshark, we can do with TcpDump and it’s pretty, pretty powerful.
So let’s just write this traffic to a file. The option here to write it to a file is -w, and then for the output we can use for example test.pcap.
Now, we don’t see the actual traffic going on here. We can only get the statistics as it’s seen here. But it says that there are 40 packets, 44 packets and all these are written to the test.pcap file.
For example, if we open another terminal window and if we do a check of the size of the pcap file it’s 12 kilobytes.
And if we are watching it for a while, it should eventually grow to a bigger file, because packets are stored in there. But keep in mind that this is text so it’s slowly growing.
But still if you do a packet capture for a long time, especially on a busy network and especially in promisc mode you can rest assured that this file will grow very big very quickly and you should keep that in mind, because this can cause you troubles.
Okay, I’m stopping the monitoring of the packet increase. I can stop the capture as well and we see how many packets we have captured. None of them were dropped by the kernel.
And if we want to analyze these packets now what we need to do is actually use another command of TcpDump which is tcpdump -tttt -r ./test.pcap.
Now I’m going to explain the tttt and what it is and let me just show you the results and then we can go back to the flags.
For example, if we want to go through it slowly, you can pipe the output to less -S.
It will show you all the results, each entry on its own line, and long lines are kept on one row instead of being wrapped onto the next.
So as we can see here now we have a proper time stamp, date and time, we have the source and the destination which were actually resolved as we can see because of the results.
If we do nn it will not resolve them.
And then we have the IP address, the source port, the destination port, we have the flags, like for example FIN or SYN or RST or whatever. We have the sequence number of the packet and all the additional information from that packet.
This is reading a captured packet so you can actually move back and forward in this.
You can use simple less searches for the IP address. For example, search for 16, and there you have it.
Optionally, you can do the other thing as well. You can just type host 192.168.1.1 and it should produce you all the results from that packet only for the IP address you’re interested in.
Or if you like you can just use again port 80 and unfortunately there is no traffic on port 80, but I think you get the idea.
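To make the -w / -r round trip concrete, here is an added example (not the tutorial’s code, and not tcpdump’s source): a minimal libpcap writer and reader in Python. It constructs four TCP frames in memory, writes them the way tcpdump -w does with a chosen snaplen, reads them back the way tcpdump -nn -tttt -r does (numeric addresses and ports, date plus time with microseconds), and applies the host and port filters after the fact. The pcap format is binary: a 24-byte global header that records the snaplen, then a 16-byte record header per packet holding the timestamp, the bytes saved (caplen) and the bytes on the wire (len). Addresses, ports and the payload are constructed sample data, 203.0.113.10 is a documentation address, and timestamps are rendered in UTC so the output is deterministic.

```python
"""Added example (not the tutorial's code): a minimal libpcap writer and
reader. It writes constructed TCP frames like `tcpdump -w`, reads them back
like `tcpdump -nn -tttt -r`, and applies `host` / `port` filters afterwards.
All addresses, ports and payload bytes are constructed sample data."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4                  # microsecond pcap, written little-endian
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144                 # what current tcpdump uses when you pass -s0
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, caplen (bytes saved), len (bytes on the wire)
# TCP flag bits in the order tcpdump prints them: [S], [S.], [P.], [F.], [R]
TCP_FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, ".")]
SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP with zeroed checksums (enough for header parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(records, snaplen=DEFAULT_SNAPLEN):
    """Serialize (sec, usec, frame) records like `tcpdump -w`. A snaplen
    smaller than a frame truncates what is stored; caplen < len records that."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        saved = frame[:snaplen]
        out.append(RECORD_HDR.pack(sec, usec, len(saved), len(frame)) + saved)
    return b"".join(out)


def decode(sec, usec, caplen, origlen, data):
    """Decode one record into the fields `tcpdump -nn -tttt` prints."""
    rec = {
        "time": datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
                + f".{usec:06d}",
        "caplen": caplen, "len": origlen, "truncated": caplen < origlen,
        "src": None, "dst": None, "sport": None, "dport": None, "flags": "", "payload": b"",
    }
    if len(data) < 34 or data[12:14] != b"\x08\x00":     # no complete IPv4 header saved
        return rec
    rec["src"] = ".".join(str(b) for b in data[26:30])
    rec["dst"] = ".".join(str(b) for b in data[30:34])
    tcp = 14 + (data[14] & 0x0F) * 4                     # IPv4 header length field
    if data[23] != 6 or len(data) < tcp + 14:            # not TCP, or TCP header cut off
        return rec
    rec["sport"], rec["dport"] = struct.unpack_from("!HH", data, tcp)
    bits = data[tcp + 13]
    rec["flags"] = "".join(name for bit, name in TCP_FLAG_NAMES if bits & bit)
    rec["payload"] = data[tcp + (data[tcp + 12] >> 4) * 4:]
    return rec


def read_pcap(blob):
    """Walk a pcap blob record by record, like `tcpdump -r file.pcap`."""
    magic, _maj, _min, _tz, _sig, _snaplen, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header")
    pos = GLOBAL_HDR.size
    while pos + RECORD_HDR.size <= len(blob):
        sec, usec, caplen, origlen = RECORD_HDR.unpack_from(blob, pos)
        pos += RECORD_HDR.size
        yield decode(sec, usec, caplen, origlen, blob[pos:pos + caplen])
        pos += caplen


def matches(rec, host=None, port=None):
    """Post-capture equivalent of the `host X` and `port N` filter expressions."""
    if host is not None and host not in (rec["src"], rec["dst"]):
        return False
    if port is not None and port not in (rec["sport"], rec["dport"]):
        return False
    return True


def capture_and_read(snaplen=DEFAULT_SNAPLEN):
    """Write a constructed 4-packet capture and read it straight back."""
    frames = [
        (1560000000, 100, build_tcp_frame("192.168.1.16", "203.0.113.10", 51234, 80, 0x02)),
        (1560000000, 250, build_tcp_frame("203.0.113.10", "192.168.1.16", 80, 51234, 0x12)),
        (1560000000, 300, build_tcp_frame("192.168.1.16", "203.0.113.10", 51234, 80, 0x18, SAMPLE_PAYLOAD)),
        (1560000001, 0, build_tcp_frame("192.168.1.16", "192.168.1.1", 40000, 443, 0x02)),
    ]
    return list(read_pcap(write_pcap(frames, snaplen)))


if __name__ == "__main__":
    for r in capture_and_read():
        print(f'{r["time"]} IP {r["src"]}.{r["sport"]} > {r["dst"]}.{r["dport"]}: '
              f'Flags [{r["flags"]}], length {len(r["payload"])}')
    print("port 80 only:", sum(matches(r, port=80) for r in capture_and_read()))
    print("truncated at -s 60:", [r["truncated"] for r in capture_and_read(snaplen=60)])
```

Running capture_and_read(snaplen=60) shows why the tutorial insists on -s0: the HTTP request is still listed, but only the first six payload bytes survive, and at snaplen 40 even the TCP ports are gone, so a later port 80 filter on that file matches nothing.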
So what is the ttt or the tttt?
To check the TcpDump options and all the flags and all the commands you can add to it, you can use man tcpdump.
This will give you the manual page.
And here as you see there is a lot of options available. There is some information also about it. So we want to look for the tttt now and we just use a quick search option and there it is.
-tttt will “Print the timestamp as hours, minutes, seconds, and fractions of a second since midnight preceded by the date on each dump line.”
If we use it five times (-ttttt) it will give us a delta between lines with microsecond resolution, and things like that.
So ‘v’ for verbose, ‘vv’ or ‘vvv’. You’ll see also lowercase ‘-w’ which means basically write to file option.
There it is, -w. “Write the raw packet to a file rather than parsing it.”
So this is pretty much a quick introduction of TcpDump and what you can do with it.
Another great thing about it is that for example, the file which we did is test.pcap.
We can open Wireshark and then with Wireshark I can open the file and read it through the Wireshark interface and it will be exactly the same file and it will give me exactly the same information.
So there is TcpDump, very quickly and briefly about what you can do with it. Just go and play with the options and look around.
Thank you very much and I’ll catch you on the next video.
Thank you very much for watching this video tutorial.
What you’ve just seen is a part of the Pass the Certified Ethical Hacking Exam: CEH Version 10! course that we have on uthena.com.
This course has all the rest of the videos that you might love and enjoy related to the one you just saw. Will you please use the link in the description to enroll in the course, because I imagine since you’ve finished this video you will love taking the full course.
You can see the full course starts with module 1 and is organized by modules matching the Certified Ethical Hacking exam exactly by section.
Module 2 Footprinting and Reconnaissance.
Section 3 Networks.
Section 4 Enumeration.
We’ve got through to module 11 right now. We’re filming the course and when you take a look at the landing page we will finish this course and get it up to a full 20 modules for you, and include anything else necessary at the end.
In addition to just the videos in this course, you also get access to our Facebook group and Discord Server where you can ask certified ethical hackers questions and get answers. Which that to me is the best value of the course above and beyond the videos.
If you just love learning ethical hacking and you want to always stay up-to-date and you don’t ever want to have to buy another course again, we’ve got an Ethical Hacking Forever course bundle I imagine you will love.
Because this one bundle includes six Ethical Hacking courses, currently over 50 hours of video today in all of these courses.
And with a Forever bundle you get all of the courses we add to this forever without having to pay again.
I intend to make new Ethical Hacking courses every year. At least a new course or two every year indefinitely.
All of those get added to the bundle without you needing to buy any of the additional courses again.
This course, in addition to the six here, you get all that are added for life through this bundle.
We appreciate the chance to serve you today. You also help pay for these new courses to be produced when you buy the bundle. We’re very grateful for that.
If you just can’t get enough of Jerry Banfield you can also get the Jerry Banfield Forever bundle.
This includes all the courses I make forever on any subject.
And I get really excited every time I see these purchases. I had just gone to the bathroom the other day and I saw a notification on PayPal that you sold a bundle and I got really excited and I even sent the student that bought it an email saying, “Thank you very much for purchasing this bundle.”
I get so excited seeing these Forever bundles sales so thank you for giving me the chance to serve you today.
I imagine you will love watching more videos with me, maybe taking some courses. You can watch on Facebook and YouTube. That is a great way to keep up.
If you like watching on YouTube, will you please subscribe on YouTube.
If you’d like to also have the option to watch these videos on Facebook, will you please go to facebook.com/jbanfield, because you might love and enjoy seeing these videos there in addition to my gaming live videos.
If you want to see everything, twitter.com is a great place to follow where you can see all the new podcast episodes, everything I make all in one spot, and jerrybanfield.com has links to all my courses, books, and anything else you could possibly want from me.
I love you.
I imagine you’ll leave a like on this video if you found it helpful, and since you’ve got to the very last part of it, I expect I’ll see you again soon.
Where to see more.
Wow, while I’m asking you to do all these things I might as well just keep asking things, see how many of you will go for it, right?
So let’s ask you now. Will you please follow on Twitter, because I think you’ll love getting to see everything at one place.
On jerrybanfield.com, I’ve got tons of blog posts, books, and YouTube videos and you can see all of those. Gaming, everything, will be right in your Twitter feed, so that when you follow me there’s going to be so much stuff you’ll hardly be able to see anything else.